ESC doesn't exit full screen using the full screen api in the new nightly build

RESOLVED INVALID

People

(Reporter: frankxrwang, Unassigned)

(Reporter)

Description

7 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110927 Firefox/9.0a1
Build ID: 20110927030845

Steps to reproduce:

Firefox 9.0 doesn't properly allow a user to exit full screen triggered by invoking the full-screen API using the "ESC" key, thus enabling a spoofing attack.
Steps to reproduce the bug:
1. Go to www.sierramellon.info
2. Click Full Screen (invokes the full-screen API on a div element and navigates to a new page)
3. Click Submit (invokes the full-screen API on a div element again and navigates to a spoofing page)
4. Pressing ESC doesn't help to exit the BSOD page.

The purpose of using mytest.html to transition is to distract the user from noticing the animation of the menu bar disappearing when entering full-screen. In this case, a user might not notice that he/she is already in full-screen, and a spoofing attack later is possible.

Attack created by Nicholai, Sang, and Xiaoran


Actual results:

Pressing ESC doesn't exit the full-screen page triggered previously by the full-screen API.


Expected results:

Pressing ESC should exit full screen if it was triggered by a full-screen API.
See the following test cases.
http://pearce.org.nz/full-screen/
(Reporter)

Updated

7 years ago
Keywords: APIchange
(Reporter)

Updated

7 years ago
Priority: -- → P3

Comment 1

7 years ago
I am never taken to full screen mode in Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110927 Firefox/9.0a1 ID:20110927030845 with a fresh profile.

Did you have to change default settings to make this attack work?
Keywords: APIchange
Priority: P3 → --
(Reporter)

Comment 2

7 years ago
Yes, you have to go to about:config and change the full-screen API to be enabled.
Priority: -- → P3

Comment 3

7 years ago
The priority flag is for use by developers - please do not change it.

Able to confirm on Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20110928 Firefox/10.0a1 ID:20110928030855

STR:

Go to about:config and set full-screen-api.enabled to true
Visit http://www.sierramellon.info
Click on Full Screen
Click Submit
Hit Esc

Expected Results
Should exit full screen mode

Actual Results
ESC does not exit full screen mode - have to move cursor to top of page to get the menu
Status: UNCONFIRMED → NEW
Component: Keyboard Navigation → Security
Ever confirmed: true
OS: Linux → All
Priority: P3 → --
QA Contact: keyboard.navigation → firefox
Hardware: x86_64 → All
Version: 9 Branch → Trunk
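The STR above and the reporter's original steps in the description, written out as page script. This is an added example, not code from the bug, from www.sierramellon.info or from Mozilla: the first function performs the two-step pattern (request full-screen on a div, then navigate while still full-screen), and the second is the check the destination page can run on load to tell whether the browser kept the user in full-screen across the navigation, which is the condition the force-exit in bug 685402 is meant to remove. The element ids "stage" and "go", the URL "spoof.html", the 300 ms delay and the function names are this example's own assumptions.

```javascript
// Added example (not from the bug, from www.sierramellon.info or from Mozilla).
// Assumed names: the element ids "stage" and "go", the URL "spoof.html",
// the 300 ms delay and the function names are this example's own.

// Resolve whichever requestFullscreen variant the browser exposes.
// Firefox 9/10 nightlies shipped the prefixed mozRequestFullScreen behind the
// full-screen-api.enabled pref; current engines expose the unprefixed name.
function fullscreenRequester(el) {
  const names = ["requestFullscreen", "mozRequestFullScreen", "webkitRequestFullscreen"];
  for (const name of names) {
    if (typeof el[name] === "function") return name;
  }
  return null;
}

// Steps 2 and 3 of the report: put a div into full-screen, then navigate the
// top-level document while still full-screen. Must run from a click handler,
// because browsers only honour requestFullscreen inside a user gesture.
// Returns the API name used, or null if no full-screen API is available
// (for example when the pref is off), so the caller knows whether an attempt
// was actually made.
function fullscreenThenNavigate(el, win, nextUrl) {
  const name = fullscreenRequester(el);
  if (name === null) return null;
  el[name]();
  // Short delay so the full-screen transition has started before navigating;
  // the report used an intermediate page (mytest.html) for the same purpose,
  // to hide the menu-bar animation from the user.
  win.setTimeout(() => win.location.assign(nextUrl), 300);
  return name;
}

// The check the destination page runs on load: is this document already
// full-screen although nothing on this page requested it? Covers the
// boolean Gecko exposed at the time (document.mozFullScreen) and the
// fullscreenElement properties of current and prefixed engines.
function fullscreenPersistedAcrossNavigation(doc) {
  if (doc.mozFullScreen === true) return true;
  const el = doc.fullscreenElement || doc.mozFullScreenElement || doc.webkitFullscreenElement;
  return el != null;
}

// Wiring for a real page; only runs in a browser and is a no-op under Node.
if (typeof document !== "undefined") {
  const stage = document.getElementById("stage");
  const button = document.getElementById("go");
  if (stage && button) {
    button.addEventListener("click", () => {
      fullscreenThenNavigate(stage, window, "spoof.html");
    });
  }
  if (fullscreenPersistedAcrossNavigation(document)) {
    // A browser that force-exits full-screen on navigation (bug 685402)
    // never lands here full-screen; arriving full-screen is exactly the
    // state the spoofing page relies on.
    console.log("still full-screen after navigation: spoofing possible");
  }
}
```

Serve the first page with a div id="stage" and a button id="go", and put the second function on the page the navigation lands on; if that page reports it is still full-screen, the browser under test lets full-screen survive navigation, and pressing ESC there is the only signal the user has left.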
Comment 4

7 years ago
Why was this moved to Security? It does not seem to be a security bug to me.

Comment 5

7 years ago
It was my best guess at a component - sorry. It is a spoofing possibility...

Should this be filed against the full screen api (don't know where that falls) or back to keyboard navigation?
Comment 6

7 years ago
This should be moved back to Keyboard Navigation unless you have a proof of concept testcase which can prove this is a security issue.

Updated

7 years ago
Component: Security → Keyboard Navigation
QA Contact: firefox → keyboard.navigation

Comment 7

7 years ago
Andrei -> Thought you might be interested
Comment 8

7 years ago
Thanks for filing this bug. This exploit relies upon navigation while in full-screen mode. We're going to force-exit full-screen mode when navigation occurs (bug 685402). That will be implemented before this feature is enabled in a release build.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID